Merchants' checkout pages were accidentally made searchable on Google.

Bitcoin wallet service Coinbase has publicly, and presumably accidentally, exposed information about its merchants' names, e-mail addresses, and product details on the Coinbase website. The exposed e-mail addresses have become the target of phishing attacks. Update: Coinbase says only certain Coinbase merchants had their email addresses exposed. No transaction receipts were leaked, as this story originally stated. See below for details.

The URLs of the pages label them "checkouts," and they appear to be transaction receipts. One was a 0.05 BTC ($6.85) transaction labeled as a donation. Another was a $980 transaction for "8 managed VPS hosts" from a company called cachedd. A third was a 229.99 BTC ($31,508) transaction for "AVALANCHE SPA POWDER."

In a Thursday blog post, Coinbase warned users to "beware of a phishing attack." Someone has been sending e-mails to Coinbase users claiming that they need to log in to confirm recent transactions but directing them to a website not controlled by Coinbase. Late Friday morning, the leaked information was still publicly available on the Coinbase website.

There's no evidence of a security problem with the Coinbase site. Provided users don't fall for the phishing scheme, their funds should be safe.

Update: Coinbase responds:

Your information is not going to be shown on one of these pages unless you created a "buy now"/donate button or checkout page and posted a public link to it somewhere. Order pages are designed to be public so customers can reach them, although we should have taken more care to not make them easily indexible by Google.

The email in particular, although we encoded using hex encoding to make it more difficult to scrape, should not be shown on that page. We will take a look today at some ways to get it removed from the Google cache, and avoid having these pages indexed. Will post an official response on our blog shortly. Sorry for the scare!

In short - no customer information is public. Only the emails of a subset of merchants who have placed their widgets on public websites.

Correction: A previous version of the story described the pages Google indexed as "transaction receipts," but Coinbase says they're actually merchants' product pages. According to Coinbase, "there wasn't any transaction data, customer data, or receipts leaked," though they say that displaying merchants' email addresses was a mistake. We've updated the story accordingly and we regret the error.

Disclosure: I own some bitcoins, including 1.7 BTC in a Coinbase account.

You know for an entire currency that's built around encryption protocols for the actual standard itself to operate - these Bitcoin wallet operators are exceedingly pathetic in their security.

Edit: God dammit, I did use my good e-mail address for my Coinbase account. That I only used once. Ugh.

Better off managing your wallet offline by yourself for the time being. It is interesting that people would use a third party to manage their wallet in the first place. Would you let someone else hold your real physical wallet?

Someone made off like a bandit on the bath salts, but following the bitcoin drama for the last couple months, I still can't figure out what to buy with them.

If you're not a pederast, drug seeker, or money launderer, I can't see why anyone would convert their national currency into a highly volatile currency backed by nothing, just to buy something you can easily use cash for.

Then the vendor runs the risk of this bogus "currency" devaluating at random, putting him in the position to sit on the coins and hope their value goes up, or take the loss and convert the coins back to real currency.

Disclaimer: I grow my own reefer, because I'm too cheap to go out and buy it when it grows in my back yard for free.

Sure, your bitcoins might drop in value suddenly, but they might also appreciate just as rapidly. The risk level is probably on par with penny stocks, so if you're willing to lose everything you might win bigtime.

Well, semi-bigtime. The real money limits on conversions to useful currencies make it hard to make big bucks with Bitcoins right now. MtGox is too much of a mickey mouse operation to really support someone who wants to put in or pull out tens of thousands of bitcoins every day.

You know for an entire currency that's built around encryption protocols for the actual standard itself to operate - these Bitcoin wallet operators are exceedingly pathetic in their security.

Edit: God dammit, I did use my good e-mail address for my Coinbase account. That I only used once. Ugh.

Better off managing your wallet offline by yourself for the time being. It is interesting that people would use a third party to manage their wallet in the first place. Would you let someone else hold your real physical wallet?

I don't have any BTC. To get on an indexing site I needed to donate a certain amount of BTC. I purchased just enough and haven't used it since.

If you're not a pederast, drug seeker, or money launderer, I can't see why anyone would convert their national currency into a highly volatile currency backed by nothing, just to buy something you can easily use cash for.

Many VPNs only accept bitcoin or paypal. A lot of people hate paypal. Even if they (VPN services) accept CCs, the types of ppl who frequent them (which may indeed include your pederasts, drug seekers, etc., but also people who are fed up with, say, deep packet inspections by Comcast) are often the types who want maximum anonymity.

I can't see why anyone would convert their national currency into a highly volatile currency backed by nothing, just to buy something you can easily use cash for.

Then the vendor runs the risk of this bogus "currency" devaluating at random, putting him in the position to sit on the coins and hope their value goes up, or take the loss and convert the coins back to real currency.

The buyer and seller need only hold onto the bitcoins for just a few seconds, while the transaction processes, before converting them back to their local currency. Not much time for volatility, and neither party learns what the other's local currency is.

Someone made off like a bandit on the bath salts, but following the bitcoin drama for the last couple months, I still can't figure out what to buy with them.

If you're not a pederast, drug seeker, or money launderer, I can't see why anyone would convert their national currency into a highly volatile currency backed by nothing, just to buy something you can easily use cash for.

Then the vendor runs the risk of this bogus "currency" devaluating at random, putting him in the position to sit on the coins and hope their value goes up, or take the loss and convert the coins back to real currency.

Disclaimer: I grow my own reefer, because I'm too cheap to go out and buy it when it grows in my back yard for free.

So, you're already a dealer, right? You know that you can use bitcoin for your weed business and make sure you and your clients are safe and anonymous by operating under the radar. But you can do a lot more with bitcoins. If you are a Silk Road vendor, you can pay for your VPN service with bitcoins, or if you have a blog, you can pay WordPress or several other hosting providers with bitcoins. And if you like a blog posting or a podcast, you may be able to donate to the author's tip jar with bitcoins. They make micropayments truly easy to manage.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.